WannaCry Ransomware: What You Need to Know

By Chloe Albanesius, May 16, 2017, 2:16 a.m.

If you've been wondering what WannaCry is and if you're at risk, here's the lowdown.

Hundreds of thousands of PCs were attacked by ransomware known as WannaCry on Friday, throwing government agencies and private businesses around the globe into disarray. If you've been wondering what actually happened, here's the lowdown.

What is WannaCry? WannaCry is the name of a serious strain of ransomware that hit Windows PCs worldwide, starting on Friday. Those who were infected found their files encrypted and their screens locked, with the attackers demanding a $300 ransom, payable in bitcoin, to decrypt the files.

How were people infected? Early reporting pointed at human error: according to The Financial Times, someone in Europe opened a compressed zip file attached to an email, releasing WannaCry onto that person's PC. What made this outbreak different is what happened next. Once WannaCry is running on one machine, it scans the local network and the wider Internet for other Windows machines exposing the SMBv1 file-sharing service and uses the EternalBlue exploit (more on that below) to infect them, with no click required on the victim's side. That worm behavior, not email alone, is how at least 200,000 devices ended up affected globally.

Microsoft had already fixed the underlying flaw in March, in security bulletin MS17-010, for every supported version of Windows. There are some people, however, who are still running aging versions of Windows; 7 percent still run Windows XP despite the fact that Redmond no longer issues security updates for it. So Microsoft took the unusual step of releasing a WannaCry patch for old versions of Windows it no longer supports, including Windows XP, Windows 8, and Windows Server 2003.

Regardless of which version of Windows you have, make sure you're up to date with your security patches. If you can't install MS17-010 right away, disable SMBv1 and block inbound TCP port 445 at your firewall; that is the service EternalBlue attacks, and it should not be reachable from the Internet in any case.

Ransomware isn't new; why is this such a big deal? WannaCry spreads using an exploit known as EternalBlue, which targets a flaw in Windows' SMBv1 file-sharing protocol. It was developed by the US National Security Agency (NSA), which used it to go after targets of its own. Unfortunately, EternalBlue and other NSA hacking tools were published online in April by a group known as the Shadow Brokers, which first surfaced last year, putting these powerful tools in the hands of anyone able to use them. Bolting a self-spreading exploit onto ransomware is what turned a routine infection into a worm.

Is this still an issue? Quite by accident, a UK researcher known as MalwareTech managed to hobble the spread of WannaCry over the weekend. He acquired a sample of the malware on Friday and ran it in a virtual environment. He noticed it tried to connect to an unregistered domain, so he registered it himself, as he often does in these situations, to sinkhole the traffic. Lucky for him (and countless victims), WannaCry only goes on to install itself and encrypt files if that connection fails. Before MalwareTech registered the domain, it didn't exist, so every connection failed and systems were ransomed. With the domain live, new infections connected successfully and simply exited. One caveat: the check is a direct connection that ignores the machine's proxy settings, so PCs that can only reach the web through a proxy, as is common on corporate networks, still get encrypted. And because a successful connection is what stops the ransomware, never block or sinkhole that domain on your own network; doing so re-arms it.

Great, so we're done here? Not so fast. Reports of new WannaCry variants are emerging, including at least one that checks a different domain, and a variant built without a kill switch at all would spread regardless of what MalwareTech registered. Treat the domain as a stroke of luck, not a defense; the patch is the fix. Stay alert and watch where you click.
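For anyone watching a network rather than a single PC, the two sections above suggest two things worth alerting on: a host looking up the kill-switch domain (the malware only does that once it is already running), and a host suddenly knocking on TCP port 445 of many neighbours (the EternalBlue worm hunting for its next victim). The script below is an added example written for this article, not code from PCMag, MalwareTech or any vendor it quotes. It runs over a handful of constructed log lines in an assumed format (an ISO timestamp, a DNS or FW tag, then the fields shown in the comments); the kill-switch domain is the one widely reported for the original sample, and the scan threshold and window are tuning assumptions, not published figures.

```python
"""Flag WannaCry-style activity in DNS and firewall logs.

Added example for this article; not code from PCMag, MalwareTech or Check Point.
Two independent signals are used, because a variant with another kill-switch
domain (or none) would never trigger the first one:
  1. A DNS lookup for a known kill-switch domain: the malware only does this
     after it is already running on the host, so the lookup itself is an alert.
  2. A burst of outbound connections to TCP 445 from one host to many others:
     the EternalBlue SMBv1 worm scanning for its next victims.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Domain widely reported as the original WannaCry kill switch (the one
# MalwareTech registered). Extend from your own threat intel for later variants.
KILLSWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Tuning assumptions: this many distinct 445 destinations inside the window
# from a single source is far above normal workstation file-share use.
SMB_SCAN_THRESHOLD = 10
SMB_SCAN_WINDOW = timedelta(seconds=60)

# Constructed sample lines (not real captures). Assumed formats:
#   "<iso-timestamp> DNS <src-ip> query <name>"
#   "<iso-timestamp> FW <src-ip> -> <dst-ip>:<dst-port> <verdict>"
SAMPLE_LOGS = [
    "2017-05-12T10:00:01 DNS 10.1.1.20 query www.example.com",
    "2017-05-12T10:00:02 DNS 10.1.1.20 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2017-05-12T10:00:05 FW 10.1.1.50 -> 10.1.1.7:445 ALLOW",   # normal: one file server
    "2017-05-12T10:01:05 FW 10.1.1.50 -> 10.1.1.7:445 ALLOW",
    "2017-05-12T10:02:00 DNS 10.1.1.77 query update.microsoft.com",
] + [
    # 10.1.1.20 probes twelve neighbours on 445 within twelve seconds: worm scanning
    f"2017-05-12T10:00:{3 + i:02d} FW 10.1.1.20 -> 10.1.1.{21 + i}:445 DROP"
    for i in range(12)
]


def parse(line):
    """Return a dict for a recognised DNS or FW line, or None for anything else."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts = datetime.fromisoformat(parts[0])
    if parts[1] == "DNS" and parts[3] == "query":
        return {"ts": ts, "kind": "dns", "src": parts[2],
                "name": parts[4].lower().rstrip(".")}
    if parts[1] == "FW" and parts[3] == "->" and ":" in parts[4]:
        dst, port = parts[4].rsplit(":", 1)
        return {"ts": ts, "kind": "fw", "src": parts[2], "dst": dst, "dport": int(port)}
    return None


def detect(lines):
    """Return (src_ip, signal, detail) tuples, at most one per host per signal."""
    findings = []
    flagged_dns = set()
    smb_hits = defaultdict(list)          # src -> [(timestamp, dst)]

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["kind"] == "dns" and ev["name"] in KILLSWITCH_DOMAINS:
            if ev["src"] not in flagged_dns:
                flagged_dns.add(ev["src"])
                findings.append((ev["src"], "killswitch_lookup", ev["name"]))
        elif ev["kind"] == "fw" and ev["dport"] == 445:
            smb_hits[ev["src"]].append((ev["ts"], ev["dst"]))

    for src, hits in smb_hits.items():
        hits.sort()                       # log order is not guaranteed
        start = 0
        for end in range(len(hits)):
            # slide the window so it spans at most SMB_SCAN_WINDOW
            while hits[end][0] - hits[start][0] > SMB_SCAN_WINDOW:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= SMB_SCAN_THRESHOLD:
                findings.append((src, "smb_scan",
                                 f"{len(distinct)} distinct hosts on TCP 445 "
                                 f"within {int(SMB_SCAN_WINDOW.total_seconds())}s"))
                break
    return findings


if __name__ == "__main__":
    for host, signal, detail in detect(SAMPLE_LOGS):
        print(f"{host}\t{signal}\t{detail}")
```

On the sample data only 10.1.1.20 is flagged, for both signals; 10.1.1.50 talking repeatedly to a single file server stays quiet. The script detects, it does not contain: a host that trips either rule should be pulled off the network, and the real remedy is the MS17-010 update. Resist the temptation to add the kill-switch domain to a blocklist after seeing these alerts, since the malware needs that connection to succeed in order to stand down.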

What if my PC was ransomed? While it appears that many people have paid the ransom demanded by the hackers, security experts warn against handing over your cash.

"As of this writing, the 3 bitcoin accounts associated with the WannaCry ransomware have accumulated more than $33,000 between them. Despite that, not a single case has been reported of anyone receiving their files back," Check Point warned in a Sunday blog post. "WannaCry doesn't seem to have a way of associating a payment to the person making it."

If you've been hit, your best bet is to restore from backup, after the machine has been wiped or cleaned so the ransomware doesn't simply encrypt the restored files too. Reputable security firms publish decryption tools, but only for ransomware families whose keys have been recovered, so check whether one exists for the strain that hit you before assuming your files can be rescued. You can also use a tool like the Fix Me Stick; just insert the device, boot to its Linux-based environment, and let it take care of the problem. It might not restore files, but it will (hopefully) clean out the malware. When your PC is back up and running, make sure you have a robust antivirus program and the best ransomware protection, and install the MS17-010 update before you put the machine back on the network, or the next scanning worm can simply reinfect it.

How can we stop this from happening again? Pay attention to emails with attachments or links; even if the message appears to be from someone you know, double-check the email address and be on the lookout for any odd wording or attachments you weren't expecting from that person. When in doubt, message the person separately to ask if they did indeed send you an email that requires you to download an attachment. Remember, though, that no click was needed for WannaCry to hop from one unpatched machine to the next, so vigilance is no substitute for patching.

More broadly, Microsoft took the NSA to task for "stockpiling" these vulnerabilities.

"This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Microsoft's president and chief legal officer, Brad Smith, wrote in a blog post that likened the leaks to the US military "having some of its Tomahawk missiles stolen."

About the Author

Chloe Albanesius has been with PCMag.com since April 2007, most recently as Executive Editor for News and Features. Prior to that, she worked for a year covering financial IT on Wall Street for Incisive Media. From 2002 to 2005, Chloe covered technology policy for The National Journal's Technology Daily in Washington, DC. She has held internships at NBC's Meet the Press, washingtonpost.com, the Tate Gallery press office in London, Roll Call, and Congressional Quarterly. She graduated with a bachelor's degree in journalism from American University in Washington, D.C.